[RCBC-33] Crash caused by libc detecting buffer overflow Created: 30/Apr/12  Updated: 13/Nov/12  Resolved: 02/May/12

Status: Closed
Project: Couchbase Ruby client library
Component/s: library
Affects Version/s: None
Fix Version/s: None
Security Level: Public

Type: Bug Priority: Major
Reporter: Aleksey Kondratenko Assignee: Sergey Avseyev
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: Debian GNU/Linux i386 sid (kept up to date)


Description
While trying to understand the issue in MB-4493 (caused by our unusual auth behavior, which could be a client "bug" as well) I tried the following from irb and here's what I got:

>> Couchbase.new(:hostname => "localhost", :port => 9000, :bucket => "pwprotected", :username =>"Administrator", :password=>"asdasd")
*** buffer overflow detected ***: irb terminated
======= Backtrace: =========
/lib/i386-linux-gnu/i686/cmov/libc.so.6(__fortify_fail+0x50)[0xf7521f70]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0xe3eaa)[0xf7520eaa]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(__strcpy_chk+0x44)[0xf7520224]
/usr/lib/libcouchbase.so.1(+0x59c1)[0xf6c1b9c1]
======= Memory map: ========
Aborted



Comments
Comment by Sergey Avseyev [ 30/Apr/12 ]
Is it possible to get the line in libcouchbase which called strcpy?

/usr/lib/libcouchbase.so.1(+0x59c1)[0xf6c1b9c1]

Also what versions of libcouchbase/libvbucket/gem are you using?
Comment by Aleksey Kondratenko [ 30/Apr/12 ]
# dpkg -l '*couchbas*'
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Description
+++-=====================================================-=====================================================-==========================================================================================================================
ii libcouchbase-dev 1.0.2-1 library for the Couchbase protocol, development files
ii libcouchbase1 1.0.2-1 library for the Couchbase protocol
Comment by Aleksey Kondratenko [ 30/Apr/12 ]
 gem list --local | grep couchbase
couchbase (1.1.1)
Comment by Aleksey Kondratenko [ 30/Apr/12 ]
Program received signal SIGABRT, Aborted.
0xf7fe0430 in __kernel_vsyscall ()
(gdb) bt
#0 0xf7fe0430 in __kernel_vsyscall ()
#1 0xf7d0b941 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2 0xf7d0ed72 in *__GI_abort () at abort.c:92
#3 0xf7d452f5 in __libc_message (do_abort=2, fmt=0xf7e18608 "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
#4 0xf7dc5f70 in *__GI___fortify_fail (msg=<optimized out>) at fortify_fail.c:32
#5 0xf7dc4eaa in *__GI___chk_fail () at chk_fail.c:29
#6 0xf7dc4224 in __strcpy_chk (dest=0x83975d0 "s", src=0x80fbfc8 "simple", destlen=6) at strcpy_chk.c:61
#7 0xf7fc59c1 in ?? () from /usr/lib/libcouchbase.so.1
#8 0xf7fc6a91 in ?? () from /usr/lib/libcouchbase.so.1
#9 0xf7a27e79 in event_base_loop () from /usr/lib/libevent-2.0.so.5
#10 0xf7fbca38 in ?? () from /usr/lib/libcouchbase_libevent.so.1
#11 0xf7fcbdca in libcouchbase_wait () from /usr/lib/libcouchbase.so.1
#12 0xf7fd5169 in do_connect (bucket=0x82de188) at couchbase_ext.c:1196
#13 0xf7fd76e7 in cb_bucket_init (argc=1, argv=0xffffc960, self=4156170480) at couchbase_ext.c:1300
#14 0xf7ef3ace in call_cfunc (argv=0xffffc960, argc=1, len=-1, recv=4156170480, func=0xf7fd7610 <cb_bucket_init>) at eval.c:5778
#15 rb_call0 (klass=4156186100, recv=4156170480, id=2961, oid=2961, argc=1, argv=0xffffc960, body=0xf7ba5c78, flags=2) at eval.c:5928
#16 0xf7ef3d31 in rb_call (klass=4156186100, recv=4156170480, mid=2961, argc=1, argv=0xffffc960, scope=1, self=<optimized out>) at eval.c:6176
#17 0xf7ef40ec in rb_funcall2 (recv=4156170480, mid=2961, argc=1, argv=0xffffc960) at eval.c:6312
#18 0xf7ef419a in rb_obj_call_init (obj=4156170480, argc=1, argv=0xffffc960) at eval.c:7825
#19 0xf7fd456e in cb_bucket_new (argc=1, argv=0xffffc960, klass=4156186100) at couchbase_ext.c:1227
#20 0xf7ef3ace in call_cfunc (argv=0xffffc960, argc=1, len=-1, recv=4156186100, func=0xf7fd44d0 <cb_bucket_new>) at eval.c:5778
#21 rb_call0 (klass=4156186080, recv=4156186100, id=3361, oid=3361, argc=1, argv=0xffffc960, body=0xf7ba5cf0, flags=0) at eval.c:5928
#22 0xf7ef3d31 in rb_call (klass=4156186080, recv=4156186100, mid=3361, argc=1, argv=0xffffc960, scope=0, self=<optimized out>) at eval.c:6176
#23 0xf7ef9409 in rb_eval (self=4155198180, n=0xf7ab5ef8) at eval.c:3506
#24 0xf7ef3061 in rb_call0 (klass=4156171320, recv=4155198180, id=3361, oid=15945, argc=<optimized out>, argv=<optimized out>, body=0xf7ab5ea8, flags=0) at eval.c:6079
#25 0xf7ef3d31 in rb_call (klass=4156171320, recv=4155198180, mid=3361, argc=1, argv=0xffffce90, scope=0, self=<optimized out>) at eval.c:6176
#26 0xf7ef9409 in rb_eval (self=4157462860, n=0xf7c9b4ac) at eval.c:3506
#27 0xf7effb3d in ruby_exec_internal () at eval.c:1654
#28 0xf7effb90 in ruby_exec () at eval.c:1674
#29 0xf7f022cc in ruby_run () at eval.c:1684
#30 0x0804868d in main (argc=6, argv=0xffffd394, envp=0xffffd3b0) at main.c:48
Comment by Aleksey Kondratenko [ 30/Apr/12 ]
simple is pwprotected's bucket password. Not sure if it's a good idea to use it at all, btw.
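As an added example (not libcouchbase or Ruby-client code), this C snippet reconstructs the check behind frame #6: `__strcpy_chk` refuses when the source plus its NUL terminator exceeds `destlen`, so a 6-byte destination cannot hold the 6-character password "simple". The checked-copy and password-duplication helpers are hypothetical replacements for an unbounded strcpy, not the project's actual fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* What glibc's __strcpy_chk checks before copying: strlen(src) + 1 (the NUL)
 * must fit in destlen. For "simple" and destlen=6, frame #6, it does not. */
int strcpy_chk_would_fail(const char *src, size_t destlen)
{
    return strlen(src) + 1 > destlen;
}

/* Bounded copy that refuses rather than overflows: 0 on success, -1 if src
 * with its NUL does not fit; dst is then left empty, never half-filled. */
int copy_cstring_checked(char *dst, size_t dstlen, const char *src)
{
    size_t need = strlen(src) + 1;    /* the +1 is what a 6-byte buffer lacked */
    if (dstlen == 0)
        return -1;
    if (need > dstlen) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, need);           /* copies the NUL too */
    return 0;
}

/* Hypothetical heap copy of a bucket password (not the library's routine):
 * size the allocation from the string, terminator included. */
char *dup_password(const char *password)
{
    size_t n = strlen(password) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, password, n);
    return p;
}

int main(void)
{
    char six[6], seven[7];            /* destlen=6 as in the backtrace */
    printf("__strcpy_chk(\"simple\", destlen=6) would fail: %d\n",
           strcpy_chk_would_fail("simple", 6));
    printf("checked copy into 6 bytes: %d, into 7 bytes: %d\n",
           copy_cstring_checked(six, sizeof six, "simple"),
           copy_cstring_checked(seven, sizeof seven, "simple"));
    char *p = dup_password("simple");
    printf("dup_password: %s\n", p ? p : "(alloc failed)");
    free(p);
    return 0;
}
```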
Comment by Sergey Avseyev [ 30/Apr/12 ]
http://review.couchbase.org/14641 it was fixed

try to use

   deb http://packages.couchbase.com/preview/ubuntu oneiric oneiric/main

or

   deb http://packages.couchbase.com/preview/ubuntu lucid lucid/main

And then install preview couchbase gem: gem install couchbase --pre

(you'll also get Views API btw)
Comment by Sergey Avseyev [ 02/May/12 ]
The problem is fixed in libcouchbase 1.0.3: http://couchbase.com/develop/c/current
Generated at Thu Nov 27 18:28:45 CST 2014 using JIRA 5.2.4#845-sha1:c9f4cc41abe72fb236945343a1f485c2c844dac9.